1. Technical Field
The present invention relates in general to a system and method for reducing the time needed to scan a hard drive for viruses. In particular, the present invention relates to a system and method for securely marking files that have been altered and, therefore, need to be checked for possible viruses.
2. Description of the Related Art
The current network computing environment has provided a rich opportunity for a plethora of virus, worm, and Trojan horse programs to proliferate. Recent viruses, such as “mydoom.exe,” often infect thousands, or even millions, of computer systems. Some viruses, such as the “Melissa” virus, cause considerable damage to computer systems and networks. In 1999, the Melissa virus forced Microsoft Corporation and other large companies to turn off their email systems until the virus could be contained.
Electronic infections include viruses, email viruses, worms, and Trojan horses. A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus also runs, and it has the chance to reproduce (by attaching to other programs) or wreak havoc on the computer system. An email virus moves around in email messages, and usually replicates itself by automatically mailing itself to other users found in the victim's email address book. A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. A worm copies itself to the new machine using the security hole, and then starts replicating itself from there, as well. Finally, a Trojan horse is simply a computer program. The program claims to do one thing (such as being a computer game) but instead does damage when it is executed (e.g., it may erase the user's hard disk). Trojan horses typically do not replicate automatically.
As used herein, the general term “virus” is used to include virus programs as well as email virus programs, worm programs, and Trojan horse programs. To respond to the threat of viruses, many companies have developed detection and removal software applications that, among other things, provide the ability to scan files on a computer system for the presence of viruses. Virus protection application software uses “virus definitions” to identify viruses that may reside on a user's computer system. When a virus is identified, the virus protection software can often eradicate the virus by removing the malicious code from the software or, if removal is not possible, the program that has the virus can be quarantined so that it cannot be executed and cause damage to the computer.
One challenge in using virus protection software is that users delay running the software because a full scan of a large computer system can take a great deal of time. This is because a full scan generally requires the virus protection software to check every file on the computer system that may be hiding a virus. Of course, delaying the execution of the virus protection software exposes the user's computer to a greater chance of infection. Many users have dealt with this challenge by scheduling execution of their virus protection software at night or during a time that the user is not currently using the computer. While this solution may work in some situations, it is not always practical, or possible. For example, it is not always practical, or possible, to leave some computer systems running when the system is unattended. In addition, some systems, such as servers, do not have an “idle” period during which a full scan would not impact system usage.
Another approach to this challenge includes reducing the amount of data stored on a hard drive. However, this approach imposes an artificial limit on system capacity and results in increased costs as more hard drives are needed. Another approach that increases costs is to increase the computer resources to enable the scan to be performed more quickly. An additional approach has been to impose a limit on the resources that the virus scan software is able to utilize. However, this approach increases the time needed to run a full system scan.
A final approach has been to reduce the number of files that are scanned at one time so that only those files that have been altered since the last scan are scanned by the virus protection software application. One approach to performing an incremental scan would be to add a flag maintained by the file system, such as the “archive” flag found in many operating systems which is commonly used for performing incremental backups. Unfortunately, this approach also has a serious flaw. The flaw of this approach is that a virus can defeat the scheme, and thereby remain undetected, by mimicking the scanning program and marking the infected file(s) as “already scanned.” Marking the infected files as already scanned would prevent the incremental virus protection software from scanning the infected files and discovering the virus.
What is needed, therefore, is a system and method that securely marks files that have already been scanned so that a virus is unable to mimic the marking activity. Furthermore, what is needed is a system and method where a hard drive maintains alteration information on a sector-by-sector basis in a secure fashion.
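The weakness of the file-system flag and the property asked for above can be seen side by side in a small model. This is an added example, not taken from the patent: `ToyVolume`, its methods and the key-based authorization are hypothetical, it tracks whole files rather than sectors, and it only illustrates which files each scheme would select for the next incremental scan.

```python
import hmac
import secrets

class ToyVolume:
    """Constructed in-memory model; not a real file system or drive API."""
    def __init__(self):
        self.data = {}         # file name -> contents
        self.fs_flag = {}      # "needs scan" flag that any program may write
        self._altered = set()  # alteration record kept by the volume itself
        # Assumption: the clearing key is provisioned only to the trusted scanner.
        self._key = secrets.token_bytes(32)

    def scanner_key(self):
        return self._key  # stands in for out-of-band provisioning

    def write(self, name, content):
        # Every write marks the file as altered in both schemes.
        self.data[name] = content
        self.fs_flag[name] = True
        self._altered.add(name)

    def set_fs_flag(self, name, value):
        # Unauthenticated: the same call serves the scanner and any other program.
        self.fs_flag[name] = value

    def clear_altered(self, name, key):
        # Only the holder of the key can mark a file as already scanned.
        if not hmac.compare_digest(key, self._key):
            return False
        self._altered.discard(name)
        return True

    def to_scan_by_flag(self):
        return sorted(n for n, flagged in self.fs_flag.items() if flagged)

    def to_scan_by_secure_mark(self):
        return sorted(self._altered)

def demo():
    vol = ToyVolume()
    key = vol.scanner_key()
    for name in ("report.doc", "tool.exe"):  # constructed sample files
        vol.write(name, b"clean")
    for name in list(vol.data):              # scanner completes a full scan
        vol.set_fs_flag(name, False)
        vol.clear_altered(name, key)
    # An untrusted program alters a file, then mimics the scanner's marking.
    vol.write("tool.exe", b"clean+appended")
    vol.set_fs_flag("tool.exe", False)
    rejected = not vol.clear_altered("tool.exe", b"\x00" * 32)
    return vol.to_scan_by_flag(), vol.to_scan_by_secure_mark(), rejected

if __name__ == "__main__":
    print(demo())
```

The flag-based selection comes back empty, so the altered file would be skipped, while the authenticated record still lists it for scanning.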